How to Set Up an Iptables Firewall to Enable Remote Access to Services in Linux - Part 8


Introducing the Linux Foundation Certification Program

You will recall from Part 1 - About Iptables of this LFCE (Linux Foundation Certified Engineer) series that we gave a basic description of what a firewall is: a mechanism to manage packets coming into and leaving the network. By "manage" we actually mean:

  1. To allow or prevent certain packets from entering or leaving our network.
  2. To forward other packets from one point of the network to another.

based on predetermined criteria.

In this article we will discuss how to implement basic packet filtering and how to configure the firewall with iptables, a frontend to netfilter, which is the native kernel module used for firewalling.

Please note that firewalling is a vast subject, and this article is not intended to be a comprehensive guide to everything there is to know about it, but rather a starting point for a deeper study of the topic. However, we will revisit the subject in Part 10 of this series when we explore a few specific use cases of a firewall in Linux.

You can think of a firewall as an international airport where passenger planes come and go almost 24/7. Based on a number of conditions, such as the validity of a person's passport or his or her country of origin (to name a few), that person may or may not be allowed to enter or leave a certain country.

At the same time, airport officers can instruct people to move from one area of the airport to another if necessary, for example when they need to go through Customs.

We may find the airport analogy useful during the rest of this tutorial. Just keep the following relations in mind as we proceed:

  1. Persons = packets
  2. Firewall = airport
  3. Country #1 = Network #1
  4. Country #2 = Network #2
  5. Airport regulations enforced by officers = firewall rules

Iptables - The Basics

At the low level, it is the kernel itself that "decides" what to do with packets, based on rules grouped in chains. These chains define which action should be taken when a packet matches the criteria specified by them.

The first action iptables takes consists in deciding what to do with a packet:

  1. Accept it (let it go through into our network)?
  2. Reject it (prevent it from accessing our network)?
  3. Forward it (to another chain)?

Just in case you were wondering why this tool is called iptables, it is because these chains are organized in tables, with the filter table being the best known and the one used to implement packet filtering through its three default chains:

1. The INPUT chain handles packets coming into the network that are destined for local programs.

2. The OUTPUT chain is used to analyze packets originating in the local network that are to be sent outside.

3. The FORWARD chain processes packets that should be forwarded to another destination (as in the case of a router).

For each of these chains there is a default policy, which dictates what should be done by default when a packet does not match any of the rules in the chain. You can view the rules created for each chain and the default policy with the following command:

# iptables -L

The available policies are as follows:

  1. ACCEPT → lets the packet through. Any packet that does not match any rule in the chain is allowed into the network.
  2. DROP → drops the packet quietly. Any packet that does not match any rule in the chain is prevented from entering the network.
  3. REJECT → rejects the packet and returns an informative message. This one in particular does not work as a default policy. Instead, it is meant to complement packet filtering rules.

When it comes to deciding which policy you will implement, you need to consider the pros and cons of each approach as explained above; note that there is no one-size-fits-all solution.

To add a rule to the firewall, invoke the iptables command as follows:

# iptables -A chain_name criteria -j target

where,

  1. -A stands for Append (append the current rule to the end of the chain).
  2. chain_name is either INPUT, OUTPUT, or FORWARD.
  3. target is the action, or policy, to apply in this case (ACCEPT, REJECT, or DROP).
  4. criteria is the set of conditions against which the packets are examined. It is composed of at least one (most likely more) of the following flags. Options inside brackets, separated by a vertical bar, are mutually exclusive. The rest represent optional switches:

[--protocol | -p] protocol: specifies the protocol involved in a rule.
[--source-port | --sport] port:[port]: defines the port (or range of ports) where the packet originated.
[--destination-port | --dport] port:[port]: defines the port (or range of ports) to which the packet is destined.
[--source | -s] address[/mask]: represents the source address or network/mask.
[--destination | -d] address[/mask]: represents the destination address or network/mask.
[--state] state (preceded by -m state): manages packets depending on whether they are part of a stateful connection, where state can be NEW, ESTABLISHED, RELATED, or INVALID.
[--in-interface | -i] interface: specifies the input interface of the packet.
[--out-interface | -o] interface: the output interface.
[--jump | -j] target: what to do when the packet matches the rule.

Let's put all of this into practice with 3 classic examples, using the following test environment for the first two:

Firewall: Debian Wheezy 7.5 
Hostname: dev2.gabrielcanepa.com
IP Address: 192.168.0.15
Source: CentOS 7 
Hostname: dev1.gabrielcanepa.com
IP Address: 192.168.0.17

And this one for the last example:

NFSv4 server and firewall: Debian Wheezy 7.5 
Hostname: debian
IP Address: 192.168.0.10
Source: Debian Wheezy 7.5 
Hostname: dev2.gabrielcanepa.com
IP Address: 192.168.0.15

We will first define a DROP rule for incoming pings to our firewall. That is, icmp packets will be quietly dropped.

# ping -c 3 192.168.0.15
# iptables -A INPUT --protocol icmp --in-interface eth0 -j DROP

Before proceeding with the REJECT part, we will flush all rules from the INPUT chain to make sure our packets are tested by this new rule:

# iptables -F INPUT
# iptables -A INPUT --protocol icmp --in-interface eth0 -j REJECT
# ping -c 3 192.168.0.15

We will now move on to the OUTPUT chain in order to manage outgoing traffic:

# iptables -A OUTPUT --protocol tcp --destination-port 22 --out-interface eth0 --jump REJECT

Run the following commands on the NFSv4 server/firewall to close ports 2049 and 111 for all kinds of traffic:

# iptables -F
# iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 2049 -j REJECT
# iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 111 -j REJECT

Now let's open those ports and see what happens.

# iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 111 -j ACCEPT
# iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 2049 -j ACCEPT

As you can see, we were able to mount the NFSv4 share after opening the traffic.

In the previous examples we showed how to append rules to the INPUT and OUTPUT chains. Should we want to insert them at a predefined position instead, we should use the -I (uppercase i) switch.

You need to remember that rules are evaluated one by one, and that the evaluation stops (or jumps) when a DROP or ACCEPT policy is matched. For that reason, you may find yourself needing to move rules up or down in the chain list as required.

We will use a trivial example to demonstrate this:

Let's add the following rule,

# iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT

at position 2 in the INPUT chain (thus moving the previous #2 down to #3).

With the above setup, traffic will be checked to see whether it is directed to port 80 before checking for port 2049.

Alternatively, you can delete a rule and change the target of the remaining rules to REJECT (using the -R switch):

# iptables -D INPUT 1
# iptables -nL -v --line-numbers
# iptables -R INPUT 2 -i eth0 -s 0/0 -p tcp --dport 2049 -j REJECT
# iptables -R INPUT 1 -p tcp --dport 80 -j REJECT
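As an added illustration (not part of the original article), the following Python model mimics one filter chain: -A, -I, -D and -R on 1-based rule positions, top-down first-match evaluation with a default policy, and output in the layout iptables-save writes. It matches only on protocol and destination port; the rule numbers and ports are the ones used in the commands above, and the port-80 REJECT appended at the end is a constructed extra rule used to show shadowing.

```python
# Added example, not code from the article: a small model of one iptables
# filter chain that mimics -A, -I, -D, -R and the top-down, first-match
# evaluation the text describes.  Rules match only on protocol and
# destination port; positions are 1-based like "iptables -nL --line-numbers".
class Chain:
    def __init__(self, name, policy="ACCEPT"):
        self.name, self.policy, self.rules = name, policy, []

    def append(self, proto, dport, target):            # -A chain ...
        self.rules.append((proto, dport, target))

    def insert(self, pos, proto, dport, target):       # -I chain N ...
        self.rules.insert(pos - 1, (proto, dport, target))  # old N becomes N+1

    def delete(self, pos):                             # -D chain N
        del self.rules[pos - 1]

    def replace(self, pos, proto, dport, target):      # -R chain N ...
        self.rules[pos - 1] = (proto, dport, target)

    def verdict(self, proto, dport):
        # The first matching rule ends the walk (ACCEPT, DROP and REJECT are
        # all terminating); the default policy applies only if nothing matched.
        for rproto, rdport, target in self.rules:
            if rproto == proto and rdport == dport:
                return target
        return self.policy

    def save(self):
        # Same layout iptables-save writes and iptables-restore reads.
        body = [f"-A {self.name} -p {p} --dport {d} -j {t}" for p, d, t in self.rules]
        return "\n".join(["*filter", f":{self.name} {self.policy} [0:0]", *body, "COMMIT", ""])


def demo():
    """Replay the article's -I / -D / -R sequence on top of the two REJECT rules."""
    inp = Chain("INPUT")                         # default policy ACCEPT
    inp.append("tcp", 2049, "REJECT")            # rule 1
    inp.append("tcp", 111, "REJECT")             # rule 2
    inp.insert(2, "tcp", 80, "ACCEPT")           # new rule 2; REJECT 111 is now rule 3
    inp.append("tcp", 80, "REJECT")              # constructed rule 4: shadowed by rule 2
    shadowed = inp.verdict("tcp", 80)            # "ACCEPT": the earlier rule wins
    inp.delete(1)                                # remove REJECT 2049 -> 3 rules left
    inp.replace(2, "tcp", 2049, "REJECT")        # rule 2: REJECT 111 -> REJECT 2049
    inp.replace(1, "tcp", 80, "REJECT")          # rule 1: ACCEPT 80 -> REJECT 80
    return shadowed, inp


if __name__ == "__main__":
    verdict, chain = demo()
    print(verdict)
    print(chain.save())
```

Port 111 ends up unmatched after the -R commands, so it falls through to the chain's ACCEPT policy; this is the kind of side effect `iptables -nL -v --line-numbers` is meant to reveal before you save the rules.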

Last, but not least, remember that for firewall rules to be persistent you need to save them to a file and restore them automatically at boot (using the method you prefer or the one available for your distribution).

Saving firewall rules:

# iptables-save > /etc/iptables/rules.v4		[On Ubuntu]
# iptables-save > /etc/sysconfig/iptables		[On CentOS / OpenSUSE]

Restoring rules:

# iptables-restore < /etc/iptables/rules.v4		[On Ubuntu]
# iptables-restore < /etc/sysconfig/iptables		[On CentOS / OpenSUSE]

Here we can see a similar procedure (saving and restoring firewall rules by hand) using a dummy file called iptables.dump instead of the default one shown above.

# iptables-save > iptables.dump

To make these changes persistent across boots:

Ubuntu: Install the iptables-persistent package, which loads the rules saved in the /etc/iptables/rules.v4 file.

# apt-get install iptables-persistent

CentOS: Add the following 2 lines to the /etc/sysconfig/iptables-config file.

IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"

OpenSUSE: List ports, protocols, addresses, and so on (separated by commas) in /etc/sysconfig/SuSEfirewall2.

For more information refer to the file itself, which is heavily commented.

Summary

The examples provided in this article, while not covering all the bells and whistles of iptables, serve the purpose of illustrating how to enable and disable incoming or outgoing traffic.

For those of you who are firewall fans, keep in mind that we will revisit this topic with more specific applications in Part 10 of this LFCE series.

Feel free to let me know if you have any questions or comments.